CoolWebSearch = identity theft

Brazenly chopped from Ars;

[quote]Researchers from a little-known security software company named Sunbelt Software have seemingly uncovered a criminal identity theft ring of massive proportions. According to one of their employees, Alex Eckelberry, during the course of one of their recent investigations into a particular Spyware application—rumored to be called CoolWebSearch—they’ve discovered that the personal information of those “infected” was being captured and uploaded to a server.

One can only speculate about why someone would do such a thing; the amount of data that could be gathered would almost certainly be daunting for even a few people to sift through and exploit. On the other hand, the researchers at Sunbelt have personally uncovered the personal information of two individuals who, combined, could be taken for well over US$350,000.

The list of stolen information includes not only bank accounts but website passwords, eBay accounts, what sort of adult images you fancy, and, supposedly, even more. The researchers initially had tried in vain to get a hold of someone who could take action on this issue but didn’t get a response right away:

We have notified the FBI, but of course no response (too busy doing other more important things). We have notified a few of the parties involved…If anyone has any other ideas, send 'em to us. Right now, we’re sitting upon literally thousands of pages of stolen identities that are being used right now.

Good news came today, though, that the FBI had responded and are currently working the case. We’ve emailed Alex and tried to see if we could get any more details about the whole thing out of him, but at the time of publication, we had not received a response. Hopefully the people who’ve perpetrated this massive-scale theft of personal data can be quickly caught and brought to justice due to the quick actions of Alex Eckelberry and the researcher who discovered the crime, Patrick Jordan.

Updated (08/06/2005 4:24PM CDT): I’ve received a little bit more information on what’s going on from the employees of Sunbelt Software. What follows is more or less the exact email I received from Alex Eckelberry:

Basically, it went like this:

Patrick Jordan, our CoolWebSearch expert, was doing research on a CWS exploit. During the course of the research, he discovered that a) the machine he was testing became a spam zombie and b) it sent a call back to a remote server. He traced back the remote server and found what you have heard about.

The scale is unimaginable. There are thousands of machines pinging back in a day. There is a keylogger file that grows and grows, and then is zipped off and then the cycle continues again.

It is sophisticated. There are nifty little PHP scripts that help the criminals get reports. There is a special upload area.

Updated (08/06/2005 5:38PM CDT): Here’s more information from Eric Sites, VP of R&D at Sunbelt:

While one of my spyware researchers was tracking down new variants of CoolWebSearch he came across a payload of crap that was downloaded to his VMware. This payload included a program that monitored the user's internet traffic, chat activity and Windows protected storage store. When using Internet Explorer with autocomplete turned on, your autocomplete info gets stored in protected storage.

This piece of spyware collected your protected storage info plus URLs, chat activity and website usernames and passwords. The real problem with this spyware was that it collected this information and posted it back to a public website that anyone could go to and read all of your personal information. Some examples of this include all the credit card info entered on HTML forms while purchasing something online. It did not matter that the webpage was using HTTPS.

This website had collected over 500 different computers' very private information within a 24-hour period, including chat activity and login info to online bank accounts. One company had over $380,000 in a compromised account. The information was not the normal info collected for hacking purposes. It was collected to steal your money, SSN, credit card info, address, and identity. We have already found two variants of this spyware with multiple locations for its stolen info upload. We are working with the FBI and Secret Service to track everything back to the source.[/quote]

arstechnica.com/news.ars/post/20050805-5175.html

/thinks to self; I wonder how long before someone posts “I have a Mac! Neener neener neener!” :smiley: